Date: Wed, 16 Sep 2015 15:02:06 +0200
From: MinRK <>
Cc: security <>, Kyle Kelley <>, 
	Jonathan Kamens <>, Scott Sanderson <>
Subject: CVE Request: Maliciously crafted text files in IPython/Jupyter editor

Email address of requester:

Software name: IPython notebook / Jupyter notebook
Type of vulnerability: Maliciously forged file
Attack outcome: Possible remote execution

Vulnerability: A maliciously forged file opened for editing can execute
javascript, specifically by being redirected to /files/ due to a failure to
treat the file as plain text.
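The behaviour described above, modelled in a small added example that is not part of this advisory or of the IPython/Jupyter code base: the weak path lets the file's extension choose the Content-Type (so a file named like an HTML document is served as HTML in the server's origin), while the hardened path returns an editor request as plain text with sniffing disabled. Names, the sample file and the check function are assumptions constructed for illustration.

```python
import mimetypes
from typing import Dict, Tuple

# Constructed sample: a file whose name suggests HTML but which the user only
# meant to open in the text editor. Any script inside it would run if the
# response were interpreted as HTML.
SAMPLE_NAME = "notes.html"
SAMPLE_BODY = b"<html><body><p>constructed sample file</p></body></html>"

Response = Tuple[int, Dict[str, str], bytes]


def serve_via_files_redirect(name: str, body: bytes) -> Response:
    """Assumed model of the weak behaviour: the editor hands the request to a
    /files/-style handler that picks Content-Type from the extension."""
    ctype, _ = mimetypes.guess_type(name)
    headers = {"Content-Type": ctype or "application/octet-stream"}
    return 200, headers, body


def serve_as_plain_text(name: str, body: bytes) -> Response:
    """Hardened behaviour: whatever the extension, an editor request returns
    the raw bytes as plain text, forbids MIME sniffing, and marks the response
    as a download so the browser never renders it as a document."""
    safe_name = name.replace('"', "")  # keep the header value well-formed
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
    return 200, headers, body


def is_script_executable(resp: Response) -> bool:
    """Defender's check: could a browser treat this response as HTML?"""
    _, headers, _ = resp
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    if ctype in ("text/html", "application/xhtml+xml"):
        return True
    # With no declared type and no nosniff, browsers may sniff the body as HTML.
    return ctype == "" and not nosniff
```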

Affected versions:

- IPython 3.0 ≤ version ≤ 3.2.1
- notebook 4.0 ≤ version ≤ 4.0.4

URI with issues:

- GET /edit/**


- IPython 3.x: 0a8096adf165e2465550bd5893d7e352544e5967
- Jupyter 4.0.x: 9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b5


Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
If using pip,

    pip install --upgrade "ipython[notebook]<4.0"  # for 3.2.2
    pip install --upgrade notebook # for 4.1 or 4.0.5

For conda:

    conda update conda
    conda update ipython "ipython-notebook<4.0" # for 3.2.2
    conda update notebook # for 4.1 or 4.0.5

Vulnerability reported by Jonathan Kamens at Quantopian
